Macsec between 9500 and 3560cx

garyromine
Beginner
Beginner

I have a network that is being built out and I cannot get macsec to work between a 9500 and a 3850cx. It works between the 9500 and 9300s without a problem. All I am doing is switch-to-switch macsec at this time. I am also new to implementing macsec, so I am not sure if I have it configured properly between the two platforms.

 

9500 (C9500-48Y4C)
Cisco IOS XE Software, Version 17.03.04

  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-advantage       (C9500 Network Advantage)         2 IN USE
  dna-advantage           (C9500 48Y4C DNA Advantage)       2 IN USE
  -----------------------------------------------------------------------------

3560CX (3560CX-12PD-S)
Cisco IOS 15.2(7)E4

License Name                  Type          Period left
-------------------------------------------------------
ipservices                    PermanentRightLife time
ipbase                        Permanent     0  minute  0  second
dna-advantage                 Subscription  CSSM Managed
-------------------------------------------------------

This is the config side of the 9500:

key chain mka-keychain macsec
 key 01
  lifetime 00:00:00 1 Jan 1993 infinite
  cryptographic-algorithm aes-256-cmac
  key-string <OMITTED>

interface Config
 macsec network-link
 mka pre-shared-key key-chain mka-keychain
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101
 switchport mode trunk
 channel-group 2 mode desirable
 spanning-tree link-type point-to-point
 spanning-tree portfast network
 udld port aggressive
 auto qos trust

interface Port-channel2
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101
 switchport mode trunk

interface Vlan101
 ip address XX.XX.XX.XX 255.255.255.254
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP
 ip pim sparse-dense-mode

 

This is the config side of the 3560cx:

key chain mka-keychain macsec
 key 01
  lifetime 00:00:00 1 Jan 1993 infinite
  cryptographic-algorithm aes-256-cmac
  key-string <OMITTED>

interface Config
 switchport trunk allowed vlan 101
 switchport trunk native vlan 101
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 macsec network-link
 udld port aggressive
 mka pre-shared-key key-chain mka-keychain
 mls qos trust cos
 auto qos trust
 spanning-tree portfast network
 spanning-tree link-type point-to-point
 channel-group 1 mode desirable

interface Port-channel1
 switchport trunk allowed vlan 101
 switchport trunk native vlan 101
 switchport mode trunk

interface Vlan101
 ip address XX.XX.XX.XX 255.255.255.254
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP
 ip pim sparse-dense-mode

 

If I remove "macsec network-link" from the 9500 interface, everything comes up and works properly. I have also noticed that on the 9500 the sh macsec inter output shows disabled, but this seems to be consistent with the other switches until macsec is established. The only other thing I see, and I don't know how to address it, is that when I run sh mka keychains the latest CKN is different.

 

On the 9500 it looks like this:

MKA PSK Keychain(s) Summary...

Keychain         Latest CKN                                                       Interface(s)
Name             Latest CAK                                                       Applied
===============================================================================================
mka-keychain     01                                                               Twe2/0/46      Twe2/0/45
                 <HIDDEN>                                                         Twe2/0/43      Twe2/0/42
                                                                                  Twe2/0/41      Twe1/0/46
                                                                                  Twe1/0/45      Twe1/0/43
                                                                                  Twe1/0/42      Twe1/0/41
                 <HIDDEN>

On the 3560cx it looks like this:

MKA PSK Keychain(s) Summary...

Keychain         Latest CKN                                                       Interface(s)
Name             Latest CAK                                                       Applied
===============================================================================================
mka-keychain     0100000000000000000000000000000000000000000000000000000000000000 Te1/0/2        Te1/0/1
                 <HIDDEN>

 

To me that looks like the 3560cx is adding trailing zeros, but I don't know if that is transmitted between the two switches in macsec negotiations.

 

I also get "%SPANTREE-2-BRIDGE_ASSURANCE_BLOCK:" in the log. I only have one 10GB fiber connection between the two switches.

 

Any ideas what I have configured wrong?


marce1000 (VIP Mentor), accepted solution:

 

FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs92023

M.

Thanks for the help! I was using leading zeros, not trailing zeros. Also, to note for anyone using this: I have to create one key chain for the 9500-to-9300 series switches and another key chain for 9500-to-3560cx.

Again, thanks for the quick help!
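An added check, not from this thread and not Cisco tooling: it parses the two "show mka keychains" summaries quoted above (embedded here as constructed sample text), compares the CKNs byte-for-byte as MKA does, and tells a "padding" mismatch (the 3560CX shows key 01 right-padded to 32 octets, while the 9500 is assumed to send the CKN exactly as it displays it, one octet) apart from the leading-zeros form, which still does not match. The padded_key_id helper returns the 64-hex-digit key ID for the side that does not pad; the function and report names are my own.

```python
import re
CKN_MAX_OCTETS = 32  # IEEE 802.1X: a CKN is 1 to 32 octets and MKA compares it byte-for-byte

# Constructed from the two "show mka keychains" summaries quoted in the thread.
SHOW_9500 = """MKA PSK Keychain(s) Summary...
Keychain         Latest CKN                                                       Interface(s)
Name             Latest CAK                                                       Applied
===============================================================================================
mka-keychain     01                                                               Twe2/0/46      Twe2/0/45
                 <HIDDEN>                                                         Twe2/0/43      Twe2/0/42
"""
SHOW_3560 = """MKA PSK Keychain(s) Summary...
Keychain         Latest CKN                                                       Interface(s)
Name             Latest CAK                                                       Applied
===============================================================================================
mka-keychain     0100000000000000000000000000000000000000000000000000000000000000 Te1/0/2        Te1/0/1
                 <HIDDEN>
"""

def parse_ckns(text):
    """Return {keychain name: CKN bytes} from a 'show mka keychains' summary."""
    ckns = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+([0-9A-Fa-f]+)\s", line)  # name column, then a hex CKN
        if m:
            hexid = m.group(2)
            if len(hexid) % 2 or len(hexid) > 2 * CKN_MAX_OCTETS:
                raise ValueError("CKN must be 1..32 octets in full hex pairs: " + hexid)
            ckns[m.group(1)] = bytes.fromhex(hexid)
    return ckns

def classify(a, b):
    """Compare two CKNs the way MKA does (exact bytes) and name the kind of mismatch."""
    if a == b:
        return "match"
    if a.ljust(CKN_MAX_OCTETS, b"\x00") == b.ljust(CKN_MAX_OCTETS, b"\x00"):
        return "padding"        # same key ID; one platform right-pads it to 32 octets
    if a.strip(b"\x00") == b.strip(b"\x00"):
        return "leading-zeros"  # zeros on the wrong side of the key ID: still a mismatch
    return "different"

def padded_key_id(ckn):
    """Explicit 64-hex-digit key ID that matches a platform which pads to 32 octets."""
    return ckn.ljust(CKN_MAX_OCTETS, b"\x00").hex()

def check(local_out, remote_out, keychain):
    """Verdict for one keychain name as shown on the two switches."""
    a = parse_ckns(local_out)[keychain]
    b = parse_ckns(remote_out)[keychain]
    return {"verdict": classify(a, b), "local": a.hex(), "remote": b.hex()}
```

A "padding" verdict is the situation in this thread: the same key ID on both sides, but different on the wire, which is why a separate key chain with the padded key ID is needed for the 3560cx link.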
